Issue: Sophos Central Admin – US-West region - Delays with the enforcement of Central policies on managed endpoints.

**Update 9** Root cause analysis KBA has been published: see knowledge base article for the latest.

**Update 8** As part of a routine database maintenance task customers may notice a few intermittent install and policy rendering failures. Please retry before contacting support. 7/17/2017 8:00 AM PST

**UPDATE 7** Some customers may notice a few intermittent install failures, please retry before contacting Sophos Support. 7/14/2017 2:00 PM PST

**UPDATE 6** Installations are being processed normally, service is restored. Please re-download installer from Central. 7/14/2017 9:00 AM PST

**UPDATE 5** Installations are now working as of July 13, 2017 19:00 UTC-5. See knowledge base article for the latest.

**UPDATE 4** New installs likely to still fail. http://centralstatus.sophos.com/#!/ has latest update. 

**UPDATE 3** System is now processing backlogs. Please see last updates here.

**UPDATE 2** Issue is ongoing, apologies. Impacts all areas within Central that rely on MCS communication between client and Central. 7/13/2017 8:00 AM PST

**UPDATE** Development has identified root cause and is working on a fix. 

Hello,

We are seeing delays with policy changes and enforcement in Sophos Central (US-West region) as well as installation failures due to the inability of new endpoint installations to initially register. Our engineers are working to restore latency. Please note your endpoints remain protected. Updates will be provided on this thread.

KBA: https://community.sophos.com/kb/en-us/126477

Thank you,

Bob

  • Hey fellow Sophos Central users.

    This thread has grown quite long, and for the last several months there has been very little real insight or action from Sophos.

    Make your voices heard outside of this thread.  There are several IT software review platforms that can be used to share your experiences.

    Gartner Peer Insights - https://www.gartner.com/reviews/market/Cloud-Workload-Protection-Platforms/vendor/sophos?pid=12411

    G2Crowd - https://www.g2crowd.com/products/sophos-endpoint-security/reviews

    TrustRadius - https://www.trustradius.com/products/sophos-endpoint-protection/reviews

  • Thanks for this. I will definitely be making my voice heard at Gartner.

    Sophos shouldn't be listed anywhere on the Quadrant at this time with the state of its Cloud software in such disarray. 

  • Does Sophos have a "TOOL" to remove their agents from workstations?

  • Oh why in the world would they make that easy either??????? You have to do the tamper protection key and then uninstall manually as far as I know.

  • I know the feeling. During our purchase we had some issues with the pricing vs quote and I could not talk with the sales manager.

    He was in the Bahamas or some place like that because they had "hit their numbers". I would hope they would have put that $$$ toward building a better product.

  • Trevor Karppi said:

    Oh why in the world would they make that easy either??????? You have to do the tamper protection key and then uninstall manually as far as I know.

    It would be even better if Tamper Protection actually worked when you told it to STOP PROTECTING so you can uninstall the software.

    Did that, tried that. Sophos keeps complaining that the Tamper Protection... the one I just turned off by selecting the PC from the Dashboard and turning off TP... is still running. So when I go to try and uninstall this so-called agent: Unable to Uninstall, Tamper Protection must be turned off.

    Then you just get to go around in circles.

    This software in a nut shell DOES NOT WORK.

  • This is all I can give you to get tamper protection off of a machine that is corrupted. It's the biggest pain in the butt but it does work. I speak from personal experience as I've had to do this on 20 machines in our company already... Please give your comments in the forum on this process :)

    Do this:

    Sophos Central managed client:

    To recover a tamper protected system, you must disable Enhanced Tamper Protection.
    Do the following:

    1. Boot the system into Safe Mode.
    2. Click Start > Run > services.msc > right-click Sophos Anti-Virus service > properties > set to disabled > OK
    3. Click Start Run and type regedit and then click OK.
    4. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004
    5. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0
    6. Go to the following location in the registry editor:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection and set the REG_DWORD Enabled to 0
    7. Reboot the system in normal mode.

    Enhanced Tamper Protection is now disabled.
    You should now be able to access the system.

    https://community.sophos.com/kb/en-us/124377
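As an added example (not from the thread or the Sophos KBA), a read-only PowerShell audit of the registry values and service start mode the steps above change, so you can confirm the state before and after the procedure; the service display name 'Sophos Anti-Virus' is assumed from step 2, and the script itself is hypothetical.

```powershell
# Added example, not from the thread or the Sophos KBA. Read-only: it reports
# whether each value from the procedure above is at its "disabled" setting.
# Run from an elevated PowerShell prompt; it changes nothing.

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
       Name = 'Start';      DisabledValue = 4 },   # step 4: 0x00000004 = service disabled
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SAVEnabled'; DisabledValue = 0 },   # step 5
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SEDEnabled'; DisabledValue = 0 },   # step 5
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name = 'Enabled';    DisabledValue = 0 }    # step 6 (WOW6432Node exists only on 64-bit Windows)
)

$report = @(foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $data  = $null
        $state = 'MISSING'      # key or value absent; expected for WOW6432Node on a 32-bit host
    } else {
        $data  = $item.($c.Name)
        $state = if ($data -eq $c.DisabledValue) { 'DISABLED' } else { 'ENABLED' }
    }
    [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $data; State = $state }
})

# Step 2 sets the Sophos Anti-Virus service to Disabled; the display name is assumed from that step.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='Sophos Anti-Virus'"
$report += [pscustomobject]@{
    Key   = 'Service: Sophos Anti-Virus'
    Value = 'StartMode'
    Data  = if ($svc) { $svc.StartMode } else { $null }
    State = if (-not $svc) { 'MISSING' } elseif ($svc.StartMode -eq 'Disabled') { 'DISABLED' } else { 'ENABLED' }
}

$report | Format-Table -AutoSize
# The procedure is only complete when every row reports DISABLED; MISSING rows need a manual look.
if ($report.State -contains 'ENABLED') {
    Write-Warning 'Enhanced Tamper Protection is still at least partly enabled on this host.'
}
```

A row that stays ENABLED after a reboot matches the "still running" symptom described later in the thread, and points at which of the keys the procedure did not take effect on.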

  • I can speak from personal experience that this process often does not work.  I tried opening a support case when it didn't, but I found I got a better response from a brick wall.  In the end, I found we need to re-image the machines where tamper protection is broken.

  • Wow what happened? Not one of mine failed, were you logged into the machine with the local admin account in safe mode?

  • I was logged in as local admin.  Perhaps it is something with x86 vs x64 as the keys reference the WOW6432Node but it doesn't have separate steps for each type of architecture.  I found Sophos often doesn't know how their own product works so this is nothing new.

    My personal favorite was when clamav.exe was using high CPU and support told me to uninstall it as it causes problems with Sophos.  A simple check told me that clamav.exe was called by Sophos and was part of their product (don't know if it still is, but at the time it was).  In other words they told me to uninstall Sophos to fix the computer.

  • Ohhhh damn.

    This just gets uglier and uglier. User is a road warrior who I may not see for weeks on end.

    Remote desktop into Safe Mode...not sure if that can even be done.

    Let the user take control.....not likely.

  • I feel your pain my friend! Thankfully we use Bomgar so we can remote reboot a computer into safemode with networking. I'll let you know if I can think of a different way to do this.
